AppArmor oops when loading an empty profile
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Fix Released
|
Medium
|
John Johansen | ||
Bug Description
The apparmor.d(5) manpage technically does say that an APPARMOR_PROFILE consists of nonempty statements. However, AppArmor will rudely enforce this by oopsing the kernel. This is confirmed on a Lucid 2.6.32-8 kernel checked out from its git repo. I have not confirmed this on other kernels yet.
TEST CASES:
(1) Note apparmor_parser validates this profile:
[jdong@
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
profile boom {}
^D
----- Debugging built structures -----
Name: boom
Profile Mode: Enforce
Capabilities:
[jdong@
0
(2) Now, try to load this profile into the kernel
[jdong@
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
profile boom {}
[1] 6003 killed sudo apparmor_parser --add -K
(3) Looking in dmesg:
[184066.515809] BUG: unable to handle kernel NULL pointer dereference at (null)
[184066.515817] IP: [<ffffffff8125e
[184066.515867] PGD 5c974067 PUD 35d9d067 PMD 0
[184066.515872] Oops: 0000 [#7] SMP
[184066.515876] last sysfs file: /sys/devices/
[184066.515885] CPU 0
[184066.515891] Modules linked in: vmblock vmmemctl vmhgfs pvscsi isofs udf crc_itu_t acpiphp binfmt_misc sha256_generic cryptd aes_x86_64 aes_generic dm_crypt snd_ens1371 gameport snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device ppdev lp iptable_filter parport_pc snd soundcore ip_tables x_tables snd_page_alloc psmouse serio_raw parport i2c_piix4 shpchp btrfs zlib_deflate crc32c libcrc32c floppy e1000 mptspi mptscsih mptbase scsi_transport_spi intel_agp
[184066.515940] Pid: 6003, comm: apparmor_parser Tainted: G D 2.6.32-8-generic #11 VMware Virtual Platform
[184066.515943] RIP: 0010:[<
[184066.515948] RSP: 0018:ffff88001d
[184066.515951] RAX: ffff880000496000 RBX: ffff88001d4d5e58 RCX: ffff880038c5125c
[184066.515953] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88001d4d5e18
[184066.515956] RBP: ffff88001d4d5e48 R08: 0000000000000000 R09: 0000000000000000
[184066.515958] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88001d4d5e18
[184066.515961] R13: ffff88001d4d5f48 R14: 0000000000000001 R15: 0000000000000000
[184066.515981] FS: 00007f35567d870
[184066.515985] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[184066.515987] CR2: 0000000000000000 CR3: 000000004bce9000 CR4: 00000000000006f0
[184066.516023] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[184066.516047] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[184066.516051] Process apparmor_parser (pid: 6003, threadinfo ffff88001d4d4000, task ffff880042a62ac0)
[184066.516103] Stack:
[184066.516105] ffff880038c51200 ffff880038c51273 ffff880038c51273 0000000000000005
[184066.516109] <0> ffff88001d4d5e58 0000000000000073 ffff88001d4d5ec8 ffffffff8125dffb
[184066.516114] <0> 0000000000000000 0000000000000020 ffffffff81710bfb 0000000000000000
[184066.516119] Call Trace:
[184066.516124] [<ffffffff8125d
[184066.516134] [<ffffffff81037
[184066.516139] [<ffffffff8125a
[184066.516146] [<ffffffff81127
[184066.516152] [<ffffffff81548
[184066.516156] [<ffffffff81127
[184066.516163] [<ffffffff81012
[184066.516166] Code: 4c 89 e7 e8 46 fb ff ff 48 3d 00 f0 ff ff 0f 87 f2 01 00 00 44 8b 15 77 c2 58 00 45 85 d2 74 8d 48 8b 50 78 44 8b 88 80 00 00 00 <48> 8b 3a 44 8b 57 08 45 85 d2 0f 84 72 ff ff ff 48 83 c7 0c 45
[184066.516202] RIP [<ffffffff8125e
[184066.516206] RSP <ffff88001d4d5e18>
[184066.516208] CR2: 0000000000000000
[184066.516211] ---[ end trace c18b1f57d3da0166 ]---
On the bright side, the only effect seems to be a SIGKILL'ed apparmor_parser -- the kernel doesn't appear to be wedged in anyway after the fact. Still -- either apparmor_parser should refuse to load such a profile, or the kernel should handle this a lot more gracefully!
| tags: | added: kernel-series-unknown |
| tags: |
added: lucid removed: kernel-series-unknown |
| Changed in linux (Ubuntu): | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| Changed in linux (Ubuntu): | |
| assignee: | nobody → John Johansen (jjohansen) |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in linux (Ubuntu): | |
| status: | Triaged → Fix Released |
This bug was fixed in the package linux - 2.6.32-14.19
---------------
linux (2.6.32-14.19) lucid; urgency=low
[ Andy Whitcroft ]
* ensure we build the source package contents when enabled
- LP: #522308
* [Config] enable CONFIG_
* SAUCE: AppArmor -- add linux/kref.h for struct kref
* [Config] enable CONFIG_HID_ORTEK
* enable udeb generation for arm versatile flavour
- LP: #522515
[ John Johansen ]
* ubuntu: AppArmor -- update to mainline 2010-02-18
- LP: #439560, #496110, #507069
[ Johnathon Harris ]
* SAUCE: HID: add support for Ortek WKB-2000
- LP: #405390
[ Upstream Kernel Changes ]
* tpm_tis: TPM_STS_DATA_EXPECT workaround
- LP: #490487
* x86, mce: Xeon75xx specific interface to get corrected memory error
information
* x86, mce: Rename cpu_specific_poll to mce_cpu_
* x86, mce: Make xeon75xx memory driver dependent on PCI
* drm/edid: Unify detailed block parsing between base and extension
blocks
- LP: #500999
* (pre-stable) eCryptfs: Add getattr function
- LP: #390833
-- Andy Whitcroft <email address hidden> Thu, 18 Feb 2010 19:22:02 +0000